SOLVED Email bypasses Spamassassin?

SupraMario

Active Member
Mar 28, 2006
27
3
153
I've done hours of reading up on this and cannot find any solution that fits.

Every solution relates to "you have a filter setup that is killing the email"
That would be nice if this email account had any filter.
Would also be nice if the domain account had a 'global filter' set specific to this.

We run spamassassin and these emails are bypassing spamassassin, but still being routed to /dev/null.

Example :
Code:
2017-12-12 17:44:52 1eOeJ3-00082s-Sg H=mail-it0-f45.google.com [209.85.214.45]:45933 Warning: "SpamAssassin as ela34883 detected message as NOT spam (3.1)"
2017-12-12 17:44:52 1eOeJ3-00082s-Sg H=mail-it0-f45.google.com [209.85.214.45]:45933 Warning: Message has been scanned: no virus or other harmful content was found
2017-12-12 17:44:52 1eOeJ3-00082s-Sg <= [email protected] H=mail-it0-f45.google.com [209.85.214.45]:45933 P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=5190 [email protected] T="testing" for [email protected]
2017-12-12 17:44:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eOeJ3-00082s-Sg
2017-12-12 17:44:52 1eOeJ3-00082s-Sg => /dev/null <[email protected]> R=central_filter T=**bypassed**
2017-12-12 17:44:52 1eOeJ3-00082s-Sg Completed

Note spamassassin has "detected message as NOT spam"
-

So I check the 'global' filter in /etc/vfilter/domainanme

-
Code:
# Exim filter - auto-generated by cPanel.
#
# Do not manually edit this file; instead, use cPanel APIs to manipulate
# email filters. MANUAL CHANGES TO THIS FILE WILL BE OVERWRITTEN.
#

if not first_delivery and error_message then finish endif

#Generated Apache SpamAssassin™ Discard Rule
if
 $h_X-Spam-Bar: contains "+++"
then
 save "/dev/null" 660
endif
It's the standard spamassassin rule. I'm completely out of my depth trying to work out what is going on here. This is starting to cause some serious problems with delivery for users, others couldnt work it out so we shifted them to G Suite to bypass this issue as we couldnt get an actual solution.

Cpanel version : v68.0.19
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,205
363
Hello,

You can browse to "cPanel >> SpamAssassin" and modify or disable the following option:

Spam Auto-Delete

The "score" setting for this option is separate from the default score SpamAssassin uses to determine if a message is SPAM. If you want to leave the option enabled, try increasing the value to a more conservative number (6 or 7).

Thank you.
 

SupraMario

Active Member
Mar 28, 2006
27
3
153
Disabling auto-delete seems to have worked, my first test went through. I might re-enable it and send the same email again to verify.

2017-12-13 07:24:19 1eOr66-00025b-SJ H=mail-ot0-f176.google.com [74.125.82.176]:39259 Warning: "SpamAssassin as ela34883 detected message as NOT spam (2.3)"
2017-12-13 07:24:19 1eOr66-00025b-SJ H=mail-ot0-f176.google.com [74.125.82.176]:39259 Warning: Message has been scanned: no virus or other harmful content was found
2017-12-13 07:24:19 1eOr66-00025b-SJ <= SENDEREMAIL H=mail-ot0-f176.google.com [74.125.82.176]:39259 P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4946 [email protected]l.com T="Test 6am" for RECIPIENTEMAIL
2017-12-13 07:24:19 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eOr66-00025b-SJ
2017-12-13 07:24:19 1eOr66-00025b-SJ => valet <RECIPIENTEMAIL> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <RECIPIENTEMAIL> SDWLKfM6MFpfHAAAlCdKhg Saved"
2017-12-13 07:24:19 1eOr66-00025b-SJ Completed

I am completely confused, HOW and WHY would an email that 'passes' spamassassin rule check, then be 'auto deleted' if it passes all spamassassin's checks???

That seems very much like a bug in the system.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,205
363
I am completely confused, HOW and WHY would an email that 'passes' spamassassin rule check, then be 'auto deleted' if it passes all spamassassin's checks???
The "score" setting for the the Auto Delete option is separate from the default score SpamAssassin uses to determine if a message is SPAM. The default score for SpamAssassin itself is configured separately in "cPanel >> SpamAssassin" by clicking on the "Configure Apache SpamAssassin" button at the bottom of the page.

Thank you.
 

SupraMario

Active Member
Mar 28, 2006
27
3
153
Ok, that I never realised and I've been using cpanel system for years now!

so any auto-delete settings that a client (or I) modify for an account, should really be in line with the general spamassassin ruleset, that way if they're both equal it would be easier to diagnose an issue like this.

Since in this instance the autodelete was enabled with score of '3'
General setting was default at '5'

So in my earlier example, the email had a score of '3.1' and was being autodeleted, so it must say '3.1 == 3' and delete, when really 3.1 is higher than 3
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,205
363
Hello,

Right, if the "Auto Delete" score is set to "3", then any messages that SpamAssassin scores higher than 3 (e.g. 3.1, 3.2, 4, 5, etc) is automatically removed.

Thank you.
 
  • Like
Reactions: linux4me2

SupraMario

Active Member
Mar 28, 2006
27
3
153
CpanelMichael - 100% ... I just re-read my posts, I don't know why / what planet I was on wondering why 3.1 was being deleted when 3 was the threshold :)

Unless I was thinking golf scores where the lower number = higher .. kicked my brain back into gear now.

Thank you for your assistance with this.
 
  • Like
Reactions: cPanelMichael